Configure internet access for workload VMs
You configure the internet access network service for VMware workloads in Google Cloud VMware Engine on a per-region basis. You can direct internet-bound traffic from your workload VMs by using Google Cloud's internet edge or an on-premises connection.
Workload VMs that can access the internet can also access Google Cloud services using Private Google Access. Access to Google Cloud services using Private Google Access stays within Google Cloud networks and does not exit to the internet.
The internet access network service supports the following:
- Up to 100 public IP addresses for each region
- Up to 300 firewall rules per firewall table
- Throughput of up to 2 Gbps across 128k concurrent connections for each region
- TCP, UDP, and ICMP protocols
The internet access network service doesn't support Application Level Gateway (ALG) functionality.
Before you begin
To make changes to the internet access settings of your private cloud, you must have admin access to VMware Engine.
To enable internet access, you need an edge services CIDR address range. When you enable the internet access or public IP network services, gateways deploy in the service tenant context.
Use the edge services CIDR address range for addressing VMware Engine internet and public IP gateways. The address range must meet the following requirements:
- Comply with RFC 1918 as a private range.
- Have no overlap with any other VMware Engine address ranges, such as the address range used for management appliances or NSX-T segments.
- Have no overlap with any address ranges being advertised to VMware Engine, such as those used for Virtual Private Cloud (VPC) network subnets or on-premises networks.
- Dedicate an IP address range with 26 subnet mask bits (/26).
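The four requirements above are easy to get wrong by hand (a /26 that overlaps an NSX-T segment only shows up after the gateways fail to deploy). The following pre-flight check is an added example, not code from the Google Cloud documentation or SDK: it validates a proposed edge services CIDR against RFC 1918 membership, the /26 size, and a constructed inventory of ranges that must stay disjoint (management appliances, NSX-T segments, VPC subnets, on-premises). The addresses in EXISTING_RANGES are placeholders, not real deployment data.

```python
"""Pre-flight check for a VMware Engine edge services CIDR.

Added example; it is not code from the Google Cloud documentation or SDK.
It checks the requirements listed above before you submit the range:
valid CIDR notation, RFC 1918, exactly /26, and no overlap with ranges that
VMware Engine already uses or that are advertised to it. The ranges in
EXISTING_RANGES are constructed sample values, not a real deployment.
"""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def validate_edge_services_cidr(candidate, in_use):
    """Return a list of problems with the candidate range; empty means acceptable.

    candidate: proposed edge services CIDR, for example "192.168.200.0/26".
    in_use:    {label: cidr} of every range the candidate must not overlap:
               the management appliance range, NSX-T segments, VPC subnets
               and on-premises ranges advertised to VMware Engine.
    """
    try:
        # strict=True rejects "192.168.200.1/26": a range with host bits set
        # is not a valid network address for the gateway subnet.
        net = ipaddress.ip_network(candidate, strict=True)
    except ValueError as err:
        return [f"{candidate!r} is not a valid network in CIDR notation: {err}"]
    if net.version != 4:
        return [f"{net} is not an IPv4 range"]

    problems = []
    if not any(net.subnet_of(private) for private in RFC1918):
        problems.append(f"{net} is not inside an RFC 1918 private range")
    if net.prefixlen != 26:
        problems.append(f"{net} has a /{net.prefixlen} mask; a /26 is required")
    for label, cidr in in_use.items():
        other = ipaddress.ip_network(cidr, strict=False)
        if other.version == 4 and net.overlaps(other):
            problems.append(f"{net} overlaps the {label} range {other}")
    return problems


# Constructed sample inventory of ranges that must stay disjoint from the
# edge services CIDR (placeholders, not real addresses from any deployment).
EXISTING_RANGES = {
    "management appliances": "192.168.0.0/24",
    "NSX-T workload segment": "10.10.0.0/16",
    "VPC subnet": "10.128.0.0/20",
    "on-premises": "172.16.0.0/16",
}

if __name__ == "__main__":
    for candidate in ("192.168.200.0/26", "10.10.5.0/26",
                      "192.168.200.0/24", "203.0.113.0/26", "192.168.200.1/26"):
        problems = validate_edge_services_cidr(candidate, EXISTING_RANGES)
        print(candidate, "->", "OK" if not problems else "; ".join(problems))
```

Feed the function the real ranges from your VPC subnets, Cloud Router advertisements and the private cloud's management and NSX-T segments; a non-empty result means the range will either be rejected or, worse, silently black-hole traffic to whichever range it shadows.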
gcloud and API requirements
To use the gcloud command-line tool or the API to manage your VMware Engine resources, we recommend configuring the tools as described below.
gcloud
Set your default project ID:
gcloud config set project PROJECT_ID
Set a default region and/or zone:
gcloud config set compute/region REGION
gcloud config set compute/zone ZONE
For more information on the gcloud vmware tool, review the Cloud SDK reference docs.
API
API examples in this documentation set use the cURL command-line tool to query the API. A valid access token is required as part of the cURL request.
There are many ways to get a valid access token; the following steps use the gcloud tool to generate an access token:
Log in to Google Cloud:
gcloud auth login
Generate an access token and export it to TOKEN:
export TOKEN=$(gcloud auth print-access-token)
Verify that TOKEN is set:
echo $TOKEN
The output is the bearer token itself, so treat it as a credential and keep it out of logs and tickets. gcloud access tokens are short-lived (about an hour), so regenerate the token if the API starts returning 401 responses.
Now use the access token in your requests to the API. For example:
curl -X GET -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json; charset=utf-8" https://vmwareengine.googleapis.com/v1/projects/PROJECT_ID/locations
Python
Python code samples in this documentation use the VMware Engine library to communicate with the API. To be able to use this approach, the library needs to be installed and the Application Default Credentials should be configured.
Download and install the Python library
pip install google-cloud-vmwareengine
Configure the ADC information by running this command in your shell:
gcloud auth application-default login
or use a service account key file:
export GOOGLE_APPLICATION_CREDENTIALS="FILE_PATH"
A service account key file is a long-lived credential; protect it like a password, and prefer user ADC or a service account attached to the workload where you can.
For more information about the library, visit the reference page or view code samples on GitHub.
Configure the internet access service
You can allow your workload VMs to have access to the internet by enabling the internet access network service. By default, the internet access network service is disabled.
Enable the internet access service in a region
Console
To enable the internet access service in a region, do the following:
- Access the VMware Engine portal.
- Go to Network > Regional settings.
- In the row corresponding to the region of interest, select Edit. If the region is not listed in the summary table, add the region by clicking Add region.
- Toggle Internet access to Enabled.
- You can enable internet access and leave public IP service disabled. If you do so, point-to-site VPN and public IP allocation are not available.
- In the Edge Services CIDR field, enter the address range to use when addressing the VMware Engine internet gateway (/26 address range).
- Click Submit.
The status for the service changes to Enabled when the operation is complete, usually after several minutes.
gcloud
Using the gcloud tool, run the following command to create a network policy:
gcloud vmware network-policies create NETWORK_POLICY_NAME \
  --vmware-engine-network projects/PROJECT_ID/locations/LOCATION/vmwareEngineNetworks/NETWORK_NAME \
  --edge-services-cidr IP_RANGE \
  --location REGION \
  --internet-access
This enables the internet access service only; add --external-ip-access to enable the public IP service as well.
Replace the following:
- NETWORK_POLICY_NAME: the name for this network policy. This must be in the format REGION-default.
- PROJECT_ID: the project ID for this request.
- LOCATION: the location of the VMware Engine network.
- NETWORK_NAME: the VMware Engine network this network policy applies to.
- IP_RANGE: the CIDR range to use for the internet access and external IP access gateways, in CIDR notation. An RFC 1918 CIDR block with a "/26" prefix is required.
- REGION: the region of the network.
API
curl -X POST \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json; charset=utf-8" \
  "https://vmwareengine.googleapis.com/v1/projects/PROJECT_ID/locations/REGION/networkPolicies?networkPolicyId=NETWORK_POLICY_NAME" \
  -d '{
    "vmwareEngineNetwork": "projects/PROJECT_ID/locations/REGION/vmwareEngineNetworks/NETWORK_NAME",
    "edgeServicesCidr": "IP_RANGE",
    "internetAccess": { "enabled": true },
    "externalIp": { "enabled": true }
  }'
This request enables both the internet access and the public IP service. To enable internet access alone, set "externalIp": { "enabled": false }.
Replace the following:
- NETWORK_POLICY_NAME: the name for this network policy. This must be in the format REGION-default.
- PROJECT_ID: the project ID for this request.
- REGION: the region of the network.
- IP_RANGE: the CIDR range to use for the internet access and external IP access gateways, in CIDR notation. An RFC 1918 CIDR block with a "/26" prefix is required.
- NETWORK_NAME: the network this network policy applies to. This must be in the format REGION-default.
Disable the internet access service in a region
To disable the internet access service in a region, do the following:
Console
- Access the VMware Engine portal.
- Go to Network > Regional settings.
- In the row corresponding to the region of interest, select Edit.
- Toggle Internet access to Disabled.
- You must disable public IP service before you can disable internet access.
- You must delete any allocated public IP addresses and point-to-site VPN gateways before you can disable public IP service.
- Click Submit.
The status for the service changes to Disabled when the operation is complete, usually after several minutes.
gcloud
Using the gcloud tool, run the following command to update the network policy:
gcloud vmware network-policies update NETWORK_POLICY_NAME \
  --no-internet-access \
  --location REGION
Replace the following:
- NETWORK_POLICY_NAME: the name for this network policy.
- REGION: the region of the network.
API
curl -X PATCH \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json; charset=utf-8" \
  "https://vmwareengine.googleapis.com/v1/projects/PROJECT_ID/locations/REGION/networkPolicies/NETWORK_POLICY_NAME?updateMask=internetAccess.enabled,externalIp.enabled" \
  -d '{
    "internetAccess": { "enabled": false },
    "externalIp": { "enabled": false }
  }'
The updateMask must list exactly the fields you send in the body; the request above disables the public IP service and internet access together, which satisfies the ordering rule that public IP is off before internet access is.
Replace the following:
- PROJECT_ID: the project ID for this request.
- REGION: the region of the network.
- NETWORK_POLICY_NAME: the name for this network policy.
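The hand-written JSON bodies in the create and disable requests above are easy to mis-quote inside a shell string, and the service enforces ordering rules (public IP needs internet access; allocated public IPs and point-to-site VPN gateways must be gone before public IP is disabled) that only surface as API errors. The following is an added example, not code from the Google Cloud documentation or SDK: it generates the method, URL and body for the POST and PATCH calls, derives the updateMask from the fields that actually change, and refuses transitions the page says are not allowed. The project, region and network names under __main__ are constructed placeholders.

```python
"""Build the network policy REST requests and enforce the ordering rules.

Added example; it is not code from the Google Cloud documentation or SDK.
It produces the method, URL and JSON body for the create (POST) and update
(PATCH) calls described above, so the body comes from json.dumps instead of
being hand-quoted inside a shell string, and it rejects transitions the page
says the service does not allow. Project, region and network names used in
__main__ are constructed placeholders.
"""
import json
import shlex

API_ROOT = "https://vmwareengine.googleapis.com/v1"


def _check_combination(internet_access, external_ip):
    """The public IP service (externalIp) is only available with internet access on."""
    if external_ip and not internet_access:
        raise ValueError("externalIp requires internetAccess to be enabled")


def create_network_policy_request(project_id, region, network_name, edge_services_cidr,
                                  internet_access=True, external_ip=False):
    """Return (method, url, body) for creating the region's network policy.

    The policy ID is fixed to REGION-default, as the page requires.
    """
    _check_combination(internet_access, external_ip)
    body = {
        "vmwareEngineNetwork": f"projects/{project_id}/locations/{region}/vmwareEngineNetworks/{network_name}",
        "edgeServicesCidr": edge_services_cidr,
        "internetAccess": {"enabled": internet_access},
        "externalIp": {"enabled": external_ip},
    }
    url = f"{API_ROOT}/projects/{project_id}/locations/{region}/networkPolicies?networkPolicyId={region}-default"
    return "POST", url, body


def update_network_policy_request(project_id, region, current, desired,
                                  allocated_public_ips=0, p2s_vpn_gateways=0):
    """Return (method, url, body) that PATCHes only the fields that change.

    current, desired: {"internet_access": bool, "external_ip": bool}.
    allocated_public_ips, p2s_vpn_gateways: what is still provisioned in the
    region; both must be zero before the public IP service can be disabled.
    """
    _check_combination(desired["internet_access"], desired["external_ip"])
    if current["external_ip"] and not desired["external_ip"] and (allocated_public_ips or p2s_vpn_gateways):
        raise ValueError(
            f"delete {allocated_public_ips} public IP(s) and {p2s_vpn_gateways} "
            "point-to-site VPN gateway(s) before disabling the public IP service")
    body = {}
    if desired["internet_access"] != current["internet_access"]:
        body["internetAccess"] = {"enabled": desired["internet_access"]}
    if desired["external_ip"] != current["external_ip"]:
        body["externalIp"] = {"enabled": desired["external_ip"]}
    if not body:
        raise ValueError("desired state equals current state; nothing to update")
    # updateMask names exactly the fields present in the body, nothing more.
    mask = ",".join(f"{field}.enabled" for field in body)
    url = f"{API_ROOT}/projects/{project_id}/locations/{region}/networkPolicies/{region}-default?updateMask={mask}"
    return "PATCH", url, body


def curl_command(method, url, body):
    """Render a copy-pasteable curl line; URL and body are single-quoted by shlex."""
    return (f"curl -X {method} -H \"Authorization: Bearer $TOKEN\" "
            f"-H \"Content-Type: application/json; charset=utf-8\" "
            f"{shlex.quote(url)} -d {shlex.quote(json.dumps(body))}")


if __name__ == "__main__":
    # Placeholder identifiers; substitute your own project, region and network.
    print(curl_command(*create_network_policy_request(
        "my-project", "us-central1", "us-central1-default", "192.168.200.0/26")))
    print(curl_command(*update_network_policy_request(
        "my-project", "us-central1",
        current={"internet_access": True, "external_ip": True},
        desired={"internet_access": False, "external_ip": False})))
```

The `$TOKEN` reference is left for the shell to expand inside double quotes, exactly as in the earlier cURL example, while the JSON body is single-quoted so its double quotes reach the API unchanged.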
Use an on-premises connection for workload internet access
You can optionally direct internet-bound traffic from your workload VMs in VMware Engine through an on-premises connection. Traffic is directed based on the state of the following:
- Default route (0.0.0.0/0) advertisement from on-premises
- VMware Engine public IP service
- VMware Engine internet access service
- VPC Service Controls on the VPC peering connection between your VPC network and VMware Engine
Enable routing internet traffic through an on-premises connection
To access the internet from your workload VMs through an on-premises connection, you must complete the following steps:
- Advertise the default route (0.0.0.0/0) from on-premises over an on-premises connection (Cloud VPN or Cloud Interconnect). Check the Cloud VPN gateway or Cloud Router where the on-premises connection to your VPC network terminates.
- Disable the internet access and public IP services for the VMware Engine network.
- Enable VPC Service Controls on the VPC peering connection between your VPC network and VMware Engine. This removes the VMware Engine side's own default route to the internet, which is what lets the default route advertised from on-premises take effect for the private cloud.
Once this is in place, the on-premises path is the only internet egress for the private cloud: if the on-premises side stops advertising the default route, workload VMs lose internet access rather than falling back to the Google Cloud internet edge.
Console
- Access the VMware Engine portal.
- Go to Network > Regional settings.
- Click the Edit icon for the region where you want to enable internet access using an on-premises connection.
- Toggle Public IP to Disabled.
- Toggle Internet access to Disabled.
- Click Submit.
Then, enable VPC Service Controls on the VPC peering connection between your VPC network and VMware Engine using the gcloud services vpc-peerings enable-vpc-service-controls command:
gcloud services vpc-peerings enable-vpc-service-controls \
  --network=VPC_NETWORK \
  --service=servicenetworking.googleapis.com
Replace VPC_NETWORK with the name of the VPC network that is peered with VMware Engine.
gcloud
Using the gcloud tool, run the following command to update the network policy:
gcloud vmware network-policies update NETWORK_POLICY_NAME \
  --no-internet-access \
  --no-external-ip-access \
  --location REGION
Replace the following:
- NETWORK_POLICY_NAME: the name for this network policy.
- REGION: the region of the network.
Then, enable VPC Service Controls on the VPC peering connection between your VPC network and VMware Engine using the gcloud services vpc-peerings enable-vpc-service-controls command:
gcloud services vpc-peerings enable-vpc-service-controls \
  --network=VPC_NETWORK \
  --service=servicenetworking.googleapis.com
API
curl -X PATCH \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json; charset=utf-8" \
  "https://vmwareengine.googleapis.com/v1/projects/PROJECT_ID/locations/REGION/networkPolicies/NETWORK_POLICY_NAME?updateMask=internetAccess.enabled,externalIp.enabled" \
  -d '{
    "internetAccess": { "enabled": false },
    "externalIp": { "enabled": false }
  }'
Then, enable VPC Service Controls on the VPC peering connection between your VPC network and VMware Engine using the gcloud services vpc-peerings enable-vpc-service-controls command:
gcloud services vpc-peerings enable-vpc-service-controls \
  --network=VPC_NETWORK \
  --service=servicenetworking.googleapis.com
Python
Set the internet_access and external_ip fields of the network policy to False.
Then, enable VPC Service Controls on the VPC peering connection between your VPC network and VMware Engine using the gcloud services vpc-peerings enable-vpc-service-controls command:
gcloud services vpc-peerings enable-vpc-service-controls \
  --network=VPC_NETWORK \
  --service=servicenetworking.googleapis.com
Disable routing internet traffic through an on-premises connection
To disable routing internet traffic from your workload VMs through an on-premises connection, stop advertising the default route (0.0.0.0/0) from on-premises and disable VPC Service Controls on the VPC peering connection.
To disable VPC Service Controls on the VPC peering connection between your VPC network and VMware Engine, use the gcloud services vpc-peerings disable-vpc-service-controls command:
gcloud services vpc-peerings disable-vpc-service-controls \
  --network=VPC_NETWORK \
  --service=servicenetworking.googleapis.com
After this change the workload VMs have no internet egress at all, because the internet access service was disabled when on-premises routing was set up. Re-enable the internet access service in the region if the workloads still need internet access.
What's next
- Learn how to allocate a public IP address for a VM in your private cloud
- Learn how firewall tables and firewall rules filter network traffic to and from private cloud resources